CWmike writes "No botnet is invulnerable, a Microsoft lawyer involved with the Rustock take-down said Tuesday, countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically. Nothing is impossible. That's a pretty high standard.' Instrumental in the effort that led to the seizure of Rustock's command-and-control servers in March, Boscovich said Microsoft's experience in take-downs of Waledac in early 2010 and of Coreflood and Rustock this year show that any botnet can be exterminated. 'To say that it can't be done underestimates the ability of the good guys,' Boscovich said. 'People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"

MicroSoft: A networked system with no vulnerabilities is inconceivable!

The sad truth: it's actually quite conceivable that with decentralized C&C and proper crypto there are no central vulnerabilities, and the only way to clean up the mess is by hunting down nodes one at a time, or possibly one ISP at a time. I'm eager to hear MS's "legally and technically creative" way to take that on.

While I believe that it's quite easy to remove individual nodes of the 'indestructible' botnet, I can't see a good way it could really be shut down other than by wiping it out node by node. And that's a losing strategy for the 'good guys'.

So, while I agree in principle that the word 'indestructible' is pretty strong, and likely not actually the case, that theoretical fact is useless without a concrete strategy for defeating it.

What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

The proof's in the pudding. Until they actually do take it down, it's all just trash talk.

It doesn't help that it's a lawyer doing the trash talking either; it seems all too common for people with law-centric world views to be completely out of sync with a world that operates on the principles of physics.

Personally, I think that the fact that it's coming from a lawyer makes it more convincing (and frightening). Note that he's saying you need to get legally creative. That sounds like not-so-subtle code for no-knock raids and extraordinary rendition. I don't care how well written your malware is. It's not gonna help you one bit when a multibillion dollar corporation convinces the Russian police to disappear you and your buddies.

Indirectly, as it affects their flagship product's reputation for security. If botnets spread unchecked, with most targeting Windows machines almost exclusively, that looks bad for Windows' reputation (even if it's due to moronic users who could manage to infect any given system). Declaring war on the botnets and actively taking them down both helps avoid negative reputation issues for Windows and builds Microsoft's reputation as a company that does the right thing for security, which is especially importan

The thing is you can't realistically go doing no-knock raids on every node in a significant botnet and without a huge level of network monitoring across the globe it's virtually impossible to figure out where a message was initially injected into the network.

So it would appear to me that taking down a competently designed (communication by broadcast messages signed using public key crypto) botnet would be practically impossible.

The thing is, even if your botnet is written perfectly. Are you perfect? Have you never told -anyone- about your malware and where you live? Are you -completely- sure that no one is monitoring your proxy?

It's really hard to answer yes to all of those questions, and that's why Microsoft can be successful when they have the resources to throw around that they do.

Which is why you write your botnet clients and infrastructure as if they were created by a coalition of the US government, Microsoft, the RIAA, 4chan, Anonymous, fifteen televangelists, and Steve Jobs.

Then, while it's wreaking havoc and distracting all the wannabe reverse engineers, you steal their socks.

Still, I think they're right - if you can find a control node of some kind, you should be able to shut down any botnet. Botnets are (nearly?) always set up to execute arbitrary code (I don't know of any that aren't) - in fact, most inject more malware while they operate, so injecting a self destruct that plugs whatever security hole(s) the botnet was exploiting should theoretically shut down the net, but it won't remove the malware, which may reinstall a botnet - it may need to be a 2-tier injection - one t

What difference does it make? Both operate using the same tool set. Microsoft sends out updates via untrusted networks to verify system files and attempts to rectify compromised files. Bot-nets will get you through security issues, 0-day attacks and click-happy users.

If Microsoft were better than the botnet people the botnets would not exist in the first place.

First of all, they used the term "virtually indestructible", as opposed to claiming it was wholly or literally indestructible.

Second of all, Microsoft is certainly free to prove them wrong.

My money would be on Microsoft not being willing to spend the time or the resources to make a significant difference... which means that their "throwing down the gauntlet" as it were is just so much hot air.

Indeed, in this case I have to agree fully with Microsoft. That doesn't happen so often.

Of course no botnet is indestructible. Nothing is indestructible. Microsoft themselves are not indestructible, our planet is not indestructible. They're just really strong. The same apparently applies to this new botnet. It's strong: hides itself really well, uses decentralised command and control, etc. Probably it doesn't even incorporate all weapons botnet makers have at their disposal, and their arsenal is growing. Lik

Probably it doesn't even incorporate all weapons botnet makers have at their disposal, and their arsenal is growing. Like the arsenal of the anti-malware makers as well, of course.

True, but anti-malware makers are always going to be behind the eight-ball for two reasons: (1) they will always be reactionary, and (2) they can't break a computer to "save it" whereas the malware makers don't mind a few casualties.

That's a pretty short term view. People are always patients eventually. The thing with cancer is that it often kills (relatively) quickly compared to the raft of illnesses and disabilities that plague old age. If big pharma could keep people alive for another 30 years on average (not unfeasible in the absence of cancer) they could milk them for all kinds of other ailments. And besides all that - how much do you think people would pay for that one time cure? They could pretty much make up a price, triple it

..the incentive is that if company A doesn't market the cure, then they run the risk of company B doing so first. Unless you presume unilateral collusion (either consciously or unconsciously) then you must presume that no company will hold back a cure (for very long) if they have one.

This is the prisoner's dilemma. All parties win the most as long as there is no known cure, but if someone defects and reveals the cure then only the defector wins.

Besides lucrative one-time sales, what incentive do pharmaceutical companies have to actually cure Typhoid? Leprosy? Malaria? Tetanus? Diphtheria? What incentive is there to offer a one-time cure when they can just lucratively siphon money from people who could suffer from the symptoms of these illnesses until they (possibly) die?

I trust my sarcasm is evident... Smallpox has been wiped off of the planet (outside of contained samples in medical labs for study) thanks entirely to medical cures and tec

That's more-or-less how I see it. On the security side, no matter how good the encryption and overall infrastructure, you always need to worry about the dumbass-in-the-middle attack, i.e., social networking. In the case of organized crime, they are vulnerable to the same tactics that are used to dismantle "brick and mortar" crime organizations. Do some good detective work, catch someone in the organization who knows enough and is ready to rat everyone else out for some leniency, and you can take the botnet

Since malware is currently a Microsoft-only problem there is a direct benefit to them to deal with it. Various fanboys will pretend they are unable to read the word "currently" so I'll add it again and pre-empt the crap about Apple, Linux, Solaris, Irix, AIX, BeOS, Amiga, Plan 9 or Atari being potentially vulnerable sometime by saying the malware that is rampant NOW is more important than theoretical or historical threats. Taking increased measures against malware doesn't really require a lot of resources and

HAHAHA According to Micro$oft, your new and shiny Windows 7 is three times less likely to be botted than old and crufty XP, with infection rate still above 1%. In the real world, however, the infection rate is certainly above this estimate. Also, unlike 7, 98 was kind enough not to spy on you and phone home every day. The reason GP's comment goes well with this crowd is the fact that Windows 7 is a botnet by any sensible definition, made legal via EULA.

Botnets, like most criminal enterprises, have a distinct advantage in that the perpetrators consider themselves above the law.

Their biggest strength is their willingness to exploit weaknesses and perform actions not available to law-abiding citizens. They are not, for example, averse to hijacking PCs, hooking up with shady providers, or even flouting international borders and strongholding in countries like Iran that are outright hostile to US interests and could actually be anywhere from indifferent to ou

The recent media hyperventilation over "indestructible" malware that hides in the master boot record and requires a wipe and reload of the OS to fix - who writes this stuff, and did they ask anyone who knows anything about it? Apparently not.

Oh noes; I've got a bad thing in my MBR; what shall I do? Tip: boot to command line (F8 at boot time) and a quick FDISK/MBR will take care of it. So much for that indestructible bullshit...

You really can't fully trust the CD either, and then on top of that there is the far worse firmware issue (both disk and BIOS firmware can be targeted) which really puts you up shit's creek with regards to that whole trust thing.

Yes, you know that. But Joe Average doesn't. Any strategy aimed at defeating botnets that use rootkit techniques has to be aimed at the net itself. Fighting against individual infections is too inefficient and is a losing strategy.

I think the meme of the "indestructible botnet" is just marketing, and people trying to make them or their research more important than it is. The sad thing is that the public seems to believe this nonsense.

In practice, there are problems and killing a large botnet can be difficult. However, once you throw enough resources at the problem, it becomes entirely feasible.

I was with him until he said "People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no'." Until then, it was an obvious "Duh", similar to saying there is no 100% secure real system. And kind of sad that he had to actually tell the media that... how far the media has fallen.

But back to the point, the bad guys are smarter, and better than the good guys. History has proven that over and over again. Just cause you came in after the fact and cleaned up the mess doesn't m

Shutting down a botnet can be rather straightforward, although not necessarily easy. As far as I know, all current botnets are designed to make money for their controllers. This means that shutting them down can be done in the same manner that most organized crime organizations get shut down: by following the money. What makes this difficult is that many botnets will cross jurisdictional boundaries, at least some of which will not be inclined to be cooperative.

Instead of just saying no, show us no...!!! Show us that it is indestructible by shutting another one down...each time they shut one down through their "special techniques" brings us closer to a spam-free world.....so do it already and stop talking about it. Show us you mean business by taking down another botnet....then we can all look at M$ and think, wow...they were right....instead I read the post and thought....so what if they "SAY" no.....show me, was my first thought!!

"People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.'"

If the good guys ever catch up with the bad guys, then the good guys have nothing more to do, because there will be no more plots to foil... until the bad guys get going again. But the bad guys never stop moving, so the good guys are always playing catch up, and so of course it looks like the bad guys are always winning.

But really, the bad guys only win when the good guys can't play catch up anymore. And that hasn't happened. In fact, that's why the bad guys keep moving.

Microsoft has been owning in the news lately. Still hate using Windows XP and will not ever upgrade to anything else, but still, this and what Gates said about nuclear being the only feasibly sustainable core energy source is pretty win.

Now, do I think that Microsoft is a bit responsible for some of these botnets? Yes. And no. But I tend to take their "nothing is impossible" approach to pretty much anything I do.

....countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically.

And how is it intellectually creative to reply to the phrase "practically indestructible" with that? They said PRACTICALLY, not "COMPLETELY INDESTRUCTIBLE" or anything like that. Way to miss the important quantifier in the statement they claim to be countering.

Yes, let's have a LAWYER tell us about how all botnets can be taken down. The phrase "If someone says that a botnet is indestructible, they are not being very creative legally" has got to be the goddamn funniest quote of the month! It's a botnet, not an ordinance. I don't give a damn how "legally creative" you get. You can't apply human laws as if they were universal laws of physics. Some young adult in China running a headless botnet via P2P C&C using anonymizing routers is beyond your insignifica

Microsoft and bot net operators... sorry, I am lost. Where are the good guys that were mentioned?

They're characters of the legends and folklore... the mention was "To say that it can't be done underestimates the ability of the good guys" (like in "the abilities of the good guys must never be underestimated"; they are demi- or full-time Gods or at least Spiderman).

WTF? Nobody said anything about Ballmer and what was said is common logic. If a machine isn't bricked it can be fixed, end of story. As someone that cleans PCs 6 days a week I can tell you this is a fact and while it is often faster to nuke, it isn't the only way to get the job done.

For those that are infected, or are having to clean a friend or relative that is infected MSFT has a nice new free tool to help you out, I tripped over it a couple of weeks back on one of my favorite freeware sites and after givi

Reinstalling the infected machine is the only way to get the job done and be 100% sure it has been done. Even if you boot from a clean CD you can't be sure MS's tool will clean everything. Windows doesn't even have a package manager that will let you checksum all files provided by a package, so it's all a big mess.

You might get 90% coverage with MSSS on the day it is released but that will go down fast once the bad guys adapt to it.

Reinstall it, put a real firewall in front of it, not the MS firewall nonsense.
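The "checksum all files provided by a package" point above is the core of a file-integrity baseline check. The following is an added example, not code from any poster in this thread or from Microsoft: it hashes a known-good tree into a manifest, then compares a possibly tampered copy of the tree against that manifest and reports what changed, what vanished, and what appeared. The directory layout, file names and contents in `demo()` are constructed for the example; the manifest is held in memory here only for brevity.

```python
"""File-integrity baseline check (added example; constructed data, not from the thread).

Hash every regular file under a root into a manifest while the tree is known-good,
then re-hash later and diff against the manifest.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree at root against a trusted manifest.

    Returns three sorted lists: files whose digest changed, files listed in the
    manifest but absent on disk, and files on disk the manifest never saw (a
    dropped payload shows up in this last category).
    """
    current = build_manifest(root)
    modified = sorted(p for p, d in manifest.items() if p in current and current[p] != d)
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, re-verify.

    File names and contents are made up for this example (assumption, not real
    Windows system files).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "netsvc.dll").write_bytes(b"original library bytes")
        (root / "system32" / "drivers.cfg").write_bytes(b"driver list v1")
        (root / "boot.ini").write_bytes(b"[boot loader]")
        baseline = build_manifest(root)  # captured while the tree is known-good

        # Simulated tampering: one file patched, one removed, one new file dropped.
        (root / "system32" / "netsvc.dll").write_bytes(b"original library bytes + hook")
        (root / "boot.ini").unlink()
        (root / "system32" / "unexpected.exe").write_bytes(b"unknown binary")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Two caveats a practitioner would attach to this. The manifest is only as trustworthy as the moment and medium it was captured on, so it belongs on read-only or offline storage, not on the machine being checked; and, as the thread already notes, a kernel-level rootkit can lie to any process reading files on the live system, so the comparison has to run from clean boot media against the mounted disk, not from inside the suspect OS.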

While I agree with you 110%, sometimes the customer simply isn't willing to pay the costs of having ALL their data backed up, which on some of these machines can take hours. We are talking multiple users with multiple docs and videos and music and....well that can take a hell of a lot of time.

So you do what you can, you warn them there is no way to be 100% sure, then you do what you have to do. With the economy in the toilet there are a lot of folks out there that simply can't afford my $35 an hour to sit th

Removing the botnets from individual systems was never the quote or discussion to begin with. It's a known fact that with enough time and energy any infected system can be cleaned, though it is very difficult to be positive of when everything has been found. The greater issue is behind the quote however; the discussion was never about taking out individual machines on a one-at-a-time basis, but if they can do like they did to similar botnets as far as decapitating the controller to stop the botnet from sprea

Exactly this. The botnet makers don't care what some lawyer says, but you can bet your last dollar that they're already trying to make their botnets as bullet proof as possible. Why wouldn't they? It's their source of revenue and the longer a botnet can evade takedown the more money it generates. The real issue the "good guys" face is that a lot of the time they're having to be reactive instead of proactive (and this is where better OS security, better education of users and good, free, easy to use security

I'd like to meet these lawyers who work hard. Having worked with many and known several personally, they generally don't know anything about "hard work." Don't confuse long days of web browsing, bullshitting, lunching, and boozing it up with anything close to "hard work."

TV shows and movies have painted a very wrong picture of lawyers at work.

It depends on the lawyer. Your view seems rather jaded. From my experience, most PEOPLE don't know anything about hard work (by your definition) at least in the professional sector or anything outside a factory job. Retail and office work, it seems rampant to have excessive down time. That said, I also know some very hard working lawyers. A lot of succeeding in life has to do with luck and who you know, but a lot of it also has to do with just actually working hard.

Now observation and discussion means one is jaded? Likely you're just uninformed. Very, very uninformed. My opinion exists specifically because that's the opinion TOLD to me by actual lawyers. It was reinforced by observing their work day while I was working.

Really people, get off your high horses. The world does not exist in utopia. In the real world, lots and lots of people are paid shit loads of money for doing very little - and frequently while doing a shit job of that. That's the REAL world. Obviously

I have multiple family members who are lawyers or work closely with them. How many different firms did you have experience with? Business culture tends to make fairly unified conditions within an organization. I'm also 100% agreeing with you on your last paragraph. My point was mostly that a) it isn't just lawyers that get paid for wasting a lot of their time and b) the bad eggs always stand out and c) just because there may even be a lot of bad eggs doesn't mean there are not good ones or that the enti

I beg to differ. A good friend of mine went to law school and is now in his third year as an associate at a major law firm. He works something like 60 hours a week on average to make sure that he hits his goal of 40 billable hours a week. During three years of law school, I saw him a grand total of about four times and when I DID see him, he was studying (at all hours, Saturday, Sunday, late at night, you name it). I feel sorry for the guy. He's very well paid, but he never has any time to spend it. H

You're very confused. You're confusing school work with a professional life.

Established lawyers is what I'm talking about. Non-lawyers do 80% of the work in the legal profession. Most lawyers do little actual work. What work they claim to do is largely done by wanna-be lawyers, students, so on and so on.

As for the work 60-hours to bill 40-hours - he's absolutely doing something wrong. Most lawyers will bill you if they think about your case while they are taking a crap. If he worked 60-hours and didn't bill

I mentioned Ballmer because he is the main head of the Hydra that Microsoft is. I'm sorry for laying the blame squarely at the feet of the CEO; in future I'll lay the blame at the feet of the guys working in the call centre. Or maybe the lawyers they buy for a dime a dozen.

If you have an issue with the statement, you could mention the statement and the lawyer who it is attributed to, Richard Boscovich. That would suffice. You did not even have to read the article, the name was right there in the (inflammatory) summary.

No one said TDL4 can't be cleaned from a single PC. Cleaning it from all of them near-simultaneously is what you would have to do to destroy this botnet. The MSRT tool is not capable of performing the steps you described.

BTW your steps could still leave malware on the system unless you are a forensic/malware expert and can tell good processes from bad in ProcessExplorer. It's not so easy as you make it seem. Even if you are that experienced in process analysis, there could still be other kernel-level rootki

You missed the point. Yes, TDL4 malware can be cleaned manually, no one is disputing that. The entire system could be forensically sanitized - manually - using the recovery console or a liveCD. It could take a long time depending on how many payloads had been downloaded and how well they hide. But this is not enough to kill the botnet unless you do this to 4.5 million PCs all at once. I never said your TDL-4 removal steps were incorrect, I just said they would not "kill the botnet", which is what Microsoft

Any software program more complicated than "Hello World" has exploitable weaknesses. If you were to demand that no software should be released until it is 100% exploit-free there would be no software to release. While killing the bot masters is a little extreme to say the least, the suggestion of following the money is a good strategy. Analyze the behavior of the bot and try to define the purpose of the bot, which is undoubtedly to make money for someone for something. Attacking the beneficiaries of the bot

If someone makes a self-replicating botnet w/o C&C it could be indestructible. Make it look at chat streams from victims for domains to DDoS, then distribute that via a p2p network using port 443 (and 22) and self-signed certs. Every node then attacks the most common one in a 2 hour period, and then ignores that domain for up to one month.

Well if that part were easy I would imagine grey hats/vigilantes would have done that by now. Though it would depend largely on what self destructing would entail. Self destructing as in the botnet removes itself from the infected computers, or self destructing as in having the botnet completely format infected systems.

While ever it couldn't be used to secure the hardware against you, we'd never see the end of botnets - so no, TCP is not the answer if you want the squishy meatbag behind the keyboard to be able to override it. The second you give the user autonomy, no matter how secure your system is, you've lost. The malware writers will focus their energies on "socially engineering" the user into installing stuff for them, instead. Personally I'd rather live in an imperfect world where we have botnets but aren't lumbered

That's not true. I'm no Microsoft apologist (I run OpenBSD and Linux) but Microsoft has some of the smartest people out there. The problem is, those people are neatly compartmentalized, in the form of Microsoft Research. Much of their work is highly regarded in the compsci community. But Microsoft-the-software-company often fails to see the potential of their work. I suspect that Microsoft's "don't rock the boat" approach is an official business strategy.